AWS Certified Solutions Architect — Associate Certification: Networking

What is a VPC?

A VPC (Virtual Private Cloud) is a logically isolated section of the AWS network, scoped to one region, in which you provision your cloud resources on an IPv4 (and optionally IPv6) address range you define. Nothing outside the VPC can reach resources inside it until you explicitly add a gateway, peering connection or endpoint and a route pointing at it.

What is a Subnet?

A subnet (subnetwork) is a logical subdivision of an IP network, and dividing a network into two or more subnets is called subnetting. In a VPC, a subnet is a CIDR block carved out of the VPC's range and tied to a single Availability Zone. AWS speaks of two kinds of subnet, but the difference lies only in the route table: a public subnet has a route for 0.0.0.0/0 to an Internet Gateway, so instances in it that hold a public IP can be reached from the internet, while a private subnet has no such route and is hidden from the internet (it typically reaches out through a NAT Gateway instead).

VPC Subnet high availability

What are Network Access Control Lists (NACLs)?

A NACL is essentially a virtual firewall at the subnet level. Every subnet in a VPC is associated with exactly one NACL, which filters ingress and egress traffic crossing the subnet boundary, whether that traffic comes from the internet or from another subnet in the same VPC.

  • A new subnet is automatically associated with the VPC's default NACL, which allows all inbound and outbound traffic, so by itself it adds no protection. A custom NACL you create starts out denying everything until you add rules.
  • The best practice is to write NACL rules that allow only the traffic you want in and out of the subnet and let the final, non-editable `*` rule deny the rest.
  • Rules are numbered and evaluated in ascending order, and the first rule that matches decides; a deny with a lower number beats an allow with a higher number for the same traffic.
  • NACLs are stateless: no connection state is kept, so the response to an allowed request must itself be allowed by a rule in the opposite direction. In practice this means an outbound (or inbound, depending on where the response is going) allow for the ephemeral port range 1024-65535.
  • NACLs are a coarse, subnet-level control and a useful second layer (for example, to block a hostile source CIDR for a whole subnet); security groups remain the primary, instance-level control.

What are Security Groups?

A security group acts as a virtual firewall at the instance level, or more precisely at the ENI level, since it is attached to network interfaces. It holds allow rules only (there is no deny rule; anything not allowed is dropped), its rules are not ordered, and it is stateful: the response to an allowed request is permitted automatically, with no rule needed in the opposite direction. A new security group allows no inbound traffic and all outbound traffic by default, and rules can name another security group as their source, which is the idiomatic way to express "only the web tier may talk to the database tier".
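To make the stateless/stateful distinction concrete, the following Python models both evaluation orders on one HTTPS request and its reply: ordered, first-match, stateless rules for the NACL, and allow-only connection-tracked rules for the security group. This is an added example, not code from the page or from AWS; the CIDRs, rule numbers and port numbers are constructed.

```python
"""Stateless NACL vs stateful security group, modelled on a single HTTPS
request/response pair.  Added example for this page, not AWS code; the rule
numbers, CIDRs and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the subnet/instance
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order, first match wins
    direction: str
    cidr: str        # remote side: source for inbound, destination for outbound
    ports: tuple     # (low, high) matched against the packet's *destination* port
    action: str      # "allow" or "deny"


def nacl_allows(rules, pkt):
    """NACL semantics: ordered, first match, implicit deny, no connection state."""
    remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != pkt.direction:
            continue
        if ip_address(remote) in ip_network(r.cidr) and r.ports[0] <= pkt.dst_port <= r.ports[1]:
            return r.action == "allow"
    return False  # the trailing '*' rule


class SecurityGroup:
    """Security-group semantics: allow rules only, no ordering, and connection
    tracking so the reply to an accepted packet is accepted automatically."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # [(cidr, low, high)] on the destination port
        self.outbound = outbound
        self._flows = set()         # 4-tuples of accepted packets

    @staticmethod
    def _match(rules, remote_ip, port):
        return any(ip_address(remote_ip) in ip_network(c) and lo <= port <= hi
                   for c, lo, hi in rules)

    def allows(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:  # reply to a tracked flow: stateful accept
            return True
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        if self._match(rules, remote, pkt.dst_port):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


# Constructed traffic: a client on the internet hits a web server in the subnet.
CLIENT, SERVER = "203.0.113.5", "10.0.1.10"
REQUEST = Packet("inbound", CLIENT, 51234, SERVER, 443)
REPLY = Packet("outbound", SERVER, 443, CLIENT, 51234)

INBOUND_443 = NaclRule(100, "inbound", "0.0.0.0/0", (443, 443), "allow")
OUTBOUND_EPHEMERAL = NaclRule(100, "outbound", "0.0.0.0/0", (1024, 65535), "allow")


def nacl_reply_without_ephemeral_rule():
    """Only the inbound rule exists: the request passes, the reply is dropped."""
    rules = [INBOUND_443]
    return nacl_allows(rules, REQUEST), nacl_allows(rules, REPLY)


def nacl_reply_with_ephemeral_rule():
    """Adding the outbound ephemeral-port rule lets the reply leave."""
    rules = [INBOUND_443, OUTBOUND_EPHEMERAL]
    return nacl_allows(rules, REQUEST), nacl_allows(rules, REPLY)


def nacl_ordering_matters():
    """Deny #50 is evaluated before allow #100, so the request is dropped."""
    rules = [INBOUND_443, NaclRule(50, "inbound", "203.0.113.0/24", (0, 65535), "deny")]
    return nacl_allows(rules, REQUEST)


def sg_reply_with_no_outbound_rule():
    """Same pair through a security group whose outbound rules are all removed."""
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    return sg.allows(REQUEST), sg.allows(REPLY)


if __name__ == "__main__":
    print("NACL, inbound rule only         :", nacl_reply_without_ephemeral_rule())
    print("NACL, plus ephemeral outbound   :", nacl_reply_with_ephemeral_rule())
    print("NACL, deny #50 beats allow #100 :", nacl_ordering_matters())
    print("SG, no outbound rules at all    :", sg_reply_with_no_outbound_rule())
```

The outbound ephemeral-port rule is the one most often forgotten when a subnet gets a custom NACL; the same logic applies to a NAT Gateway's public subnet, since replies from the internet come back to ports in the 1024-65535 range.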

What is a NAT Gateway?

A NAT Gateway lets instances in a private subnet initiate connections to the internet (package updates, external APIs) while blocking connections initiated from the internet. The NAT Gateway itself lives in a public subnet and carries an Elastic IP; the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway, and the public subnet's route table sends 0.0.0.0/0 to the Internet Gateway. A NAT Gateway is tied to one Availability Zone, so deploy one per AZ, with per-AZ private route tables, if the private subnets must keep their egress during an AZ failure.

NAT Gateway

What is a VPN?

A VPN (Virtual Private Network) is a secure way of connecting two remote networks across the public internet: the traffic between them is carried inside encrypted tunnels. On AWS, a Site-to-Site VPN terminates IPsec tunnels on a Virtual Private Gateway (or a Transit Gateway) on the AWS side and on a Customer Gateway device on your side; each connection provides two tunnels for redundancy, and throughput is bounded by the internet path in between.

Virtual Private Network — VPN

What is Direct Connect?

AWS Direct Connect is a dedicated, private network link from your on-premises site (or a colocation facility) into AWS that bypasses the public internet, giving more consistent bandwidth and latency than a VPN. A Direct Connect link is private but not encrypted by itself: if the data must be encrypted in transit, run a Site-to-Site VPN over the Direct Connect connection, or use MACsec on a dedicated connection that supports it.

Direct Connect

What is VPC Peering?

VPC Peering connects two VPCs (in the same or different accounts and regions) so that instances in them route traffic to one another over private IP addresses across the AWS network, with no gateway, VPN or internet hop. Both VPCs must add routes to the peering connection, their CIDR ranges must not overlap, and peering is not transitive: if A is peered with B and B with C, A still cannot reach C without its own peering connection.

VPC Peering

What is a Transit Gateway?

AWS Transit Gateway is a regional hub that simplifies your network connectivity: all of your VPCs attach to it and communicate with one another through it, and it also connects them to your remote locations over VPN or Direct Connect.

All routing is managed centrally within that hub. When a new VPC or remote location is created, you attach it to the Transit Gateway and update the hub's route tables instead of building a mesh of peering connections. Transit Gateway route tables can also be used to segment attachments, for example so that production and development VPCs cannot reach each other while both reach a shared services VPC.

AWS Transit Gateway

What are Elastic IP Addresses (EIPs)?

When architecting your infrastructure from a network perspective, you will have both public and private IP addresses.

When launching an EC2 instance you select the subnet it will reside in and whether EC2 should auto-assign a public IP address.

If you select 'enable', your instance is launched with one of the public IPv4 addresses from AWS's pool. That address is not persistent: it is released when the instance is stopped, and a different one is assigned on the next start.

There will be times when you need a persistent public IPv4 address associated with your instance, which is exactly what an Elastic IP Address provides: it is allocated to your account and stays yours until you release it.

If you no longer need the EIP, disassociate it from the instance and release it back to AWS; an EIP that is allocated but not associated still counts against your account's EIP limit and continues to be billed.

  • If you associate an EIP with an instance that already has a pooled public IP address, the pooled address is released back into the pool and the instance takes on the EIP.
  • You can't convert an existing pooled public IP address into an EIP.
  • Releasing an EIP returns it to AWS's pool, where another account can pick it up. Before releasing one, remove any DNS records that point at it; a record left pointing at a released address is a dangling-DNS exposure.

What are Elastic Network Interfaces (ENIs)?

ENIs are logical virtual network cards within your VPC that you can create, configure and attach to your EC2 instances. An ENI carries a primary private IPv4 address, optional secondary private addresses, an Elastic IP per private address, a MAC address, one or more security groups and a source/destination check flag.

You can detach an ENI from one instance and attach it to another, and the configuration of that ENI moves with it: its private IP addresses, EIP, MAC address and security groups.

Every EC2 instance has a primary interface, labelled eth0, which cannot be detached from the instance.

When designing a solution that attaches multiple interfaces to an instance, bear in mind that the maximum number of ENIs (and of IP addresses per ENI) depends on the EC2 instance type. Also remember that security groups apply per ENI, so an instance with interfaces in two subnets is governed by each interface's own security groups, and a forgotten secondary ENI is a second attack surface.


What is EC2 Enhanced Networking with the Elastic Network Adapter (ENA)?

The Elastic Network Adapter (ENA) is a custom network interface that AWS exposes to the instance, with its own kernel driver, to deliver enhanced networking performance.

If you want enhanced networking features reaching speeds of up to 100 Gbps for your Linux compute instances, you enable them through an ENA.

  • Enhanced networking offers higher bandwidth, higher packet-per-second (PPS) performance and lower, more consistent latency than the legacy virtualised interface.
  • A big bonus of enhanced networking is that it is offered at no extra cost.
  • Instances launched from Amazon Linux 2 or the latest version of the Amazon Linux AMI have enhanced networking enabled by default, because the ENA driver is already installed.
  • This only applies if the instance is provisioned with an instance type that supports ENA. To confirm, `ethtool -i eth0` on the instance should report the ena driver, and the instance's EnaSupport attribute (as shown by describe-instances) should be true.

What is a VPC Endpoint?

A VPC Endpoint allows you to privately access AWS services over the AWS internal network instead of reaching their public DNS endpoints across the internet. This means that you can connect to supported services without an Internet Gateway, NAT Gateway, VPN or Direct Connect connection; the traffic never leaves the AWS network, and the subnet no longer needs a general internet egress path just to reach those services.

There are two types of VPC Endpoints:

  1. Interface Endpoints
  2. Gateway Endpoints

Interface Endpoint

An interface endpoint is essentially an ENI with a private IP address, placed in a subnet of your choosing, that acts as the target for traffic sent to a supported service. Interface endpoints are built on AWS PrivateLink:

PrivateLink provides private, secure connectivity between VPCs, AWS services and on-premises applications over the AWS internal network, without traversing the internet.

Interface Endpoint

  • When an interface endpoint is created for a service with private DNS enabled, a specific DNS name is created and a private hosted zone is associated with your VPC.
  • Within this hosted zone a record set for the default DNS name of the service is created, resolving to the private IP address of your interface endpoint.
  • As a result, applications that already use that service's default name do not need to be reconfigured.
  • Requests to the default DNS name now resolve to the private IP address of the interface endpoint and route through the AWS network instead of the internet. This requires the VPC's DNS resolution and DNS hostnames attributes to be enabled; if private DNS is off, clients must be pointed at the endpoint-specific DNS name explicitly, or their traffic quietly takes the public path.
  • An interface endpoint has security groups (limit which subnets or instances can reach it) and an endpoint policy (limit which API actions and resources can be called through it); set both rather than leaving the defaults.
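A check worth running after enabling private DNS: resolve the service's default name from inside the VPC and confirm the answer lies within the VPC CIDR, which proves the private hosted zone is answering rather than the public namespace. The following Python is an added example, not AWS code; the VPC CIDR, the endpoint IP and the two constructed resolvers stand in for a real VPC, and sqs.us-east-1.amazonaws.com is used only as a representative service name.

```python
"""Post-deployment check for an interface endpoint's private DNS: resolve the
service's default hostname from inside the VPC and confirm the answer is an
address within the VPC, i.e. the endpoint ENI.  Added example for this page,
not AWS code; the VPC CIDR, endpoint IP and the two constructed resolvers
below stand in for a real VPC, and sqs.us-east-1.amazonaws.com is used only
as a representative service name."""
import socket
from ipaddress import ip_address, ip_network


def endpoint_path(hostname, vpc_cidr, resolver=socket.gethostbyname):
    """Resolve hostname (by default through the OS resolver, which on an
    instance is the VPC's own resolver) and say where the traffic will go."""
    ip = resolver(hostname)
    if ip_address(ip) in ip_network(vpc_cidr):
        # The private hosted zone answered with the endpoint ENI: PrivateLink.
        return "endpoint", ip
    # A public answer: traffic leaves through NAT/IGW, or is dropped if the
    # subnet has no internet route.  Either way the endpoint is bypassed.
    return "internet", ip


def check_private_dns(hostname, vpc_cidr, resolver=socket.gethostbyname):
    """True when private DNS is doing its job for hostname."""
    return endpoint_path(hostname, vpc_cidr, resolver)[0] == "endpoint"


def audit(hostnames, vpc_cidr, resolver=socket.gethostbyname):
    """Return the hostnames that still resolve to public addresses."""
    return [h for h in hostnames if not check_private_dns(h, vpc_cidr, resolver)]


# Constructed resolvers modelling the two possible VPC states.
SERVICE = "sqs.us-east-1.amazonaws.com"
PUBLIC_ANSWER = "52.94.1.10"                 # made-up public address
PRIVATE_ZONE = {SERVICE: "10.0.2.25"}        # record set the endpoint added (made-up IP)


def private_dns_on(name):
    """Private hosted zone consulted first, then the public namespace."""
    return PRIVATE_ZONE.get(name, PUBLIC_ANSWER)


def private_dns_off(name):
    """No private zone: only the public answer exists for the default name."""
    return PUBLIC_ANSWER


if __name__ == "__main__":
    import sys
    # On an instance: python3 check.py sqs.us-east-1.amazonaws.com 10.0.0.0/16
    host, cidr = sys.argv[1], sys.argv[2]
    print(host, "->", endpoint_path(host, cidr))
```

Run it with the live resolver on an instance in the VPC; a public answer for a service you believe has an endpoint usually means private DNS was left disabled or the VPC's DNS hostnames attribute is off.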

Gateway Endpoint

A gateway endpoint is a target that you reference in your route tables to reach supported services; currently the only services reached through a gateway endpoint are Amazon S3 and DynamoDB.

  • During creation of a gateway endpoint you are asked which route tables within your VPC should be updated to add the new target.
  • Every route table selected will then have a route automatically added for the new gateway endpoint.
  • The route's destination is the prefix list ID of the associated service (Amazon S3 or DynamoDB) and its target is the VPC Endpoint ID.
  • Example: Prefix list ID = pl-12345678, VPC Endpoint ID = vpce-12345
  • Gateway endpoints carry IPv4 traffic only.
  • A gateway endpoint has no security group; what can be reached through it is controlled by its endpoint policy (for example, only buckets in your own account) and by which route tables carry the route. A bucket policy can in turn require aws:sourceVpce to equal the endpoint ID, so the bucket is reachable only from inside the VPC.
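Putting the routing pieces together, the Python below models how the VPC router picks a route (longest prefix match, with a prefix-list destination expanded to its CIDRs) and uses it to show three things from this page: what makes a subnet public (the 0.0.0.0/0 route to an Internet Gateway from the subnet section), how a private subnet reaches the internet through a NAT Gateway, and how the prefix-list route to a gateway endpoint is preferred over the default route. This is an added example, not AWS code; the VPC CIDR and prefix-list contents are constructed, and pl-12345678 / vpce-12345 are the placeholder IDs the page itself uses.

```python
"""Route selection in a VPC route table, modelled as longest-prefix match with
prefix-list expansion.  Added example for this page, not AWS code: the VPC
CIDR, prefix-list contents and gateway IDs are constructed, and pl-12345678 /
vpce-12345 are the placeholder IDs the page itself uses."""
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# Constructed stand-in for the managed service prefix list a gateway endpoint uses.
PREFIX_LISTS = {"pl-12345678": ["52.216.0.0/15", "54.231.0.0/16"]}


def expand(route):
    """A route's destination is either a CIDR or a prefix-list ID; return
    (network, target) pairs either way."""
    dest, target = route
    if dest.startswith("pl-"):
        return [(ip_network(c), target) for c in PREFIX_LISTS[dest]]
    return [(ip_network(dest), target)]


def lookup(route_table, dst_ip):
    """Pick the target for dst_ip the way the VPC router does: the matching
    route with the longest prefix wins; None means there is no route."""
    ip = ip_address(dst_ip)
    best = None
    for net, target in (entry for route in route_table for entry in expand(route)):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(route_table):
    """The page's public/private distinction, read straight off the route table."""
    if any(t.startswith("igw-") for _, t in route_table):
        return "public"
    if any(t.startswith("nat-") for _, t in route_table):
        return "private (egress via NAT)"
    return "private (no internet route)"


# Constructed route tables for three subnets in the same VPC.  Every table
# carries the implicit 'local' route for the VPC CIDR.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0abc1234")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0def5678"), ("pl-12345678", "vpce-12345")]
ISOLATED_RT = [(VPC_CIDR, "local"), ("pl-12345678", "vpce-12345")]

if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, "subnet is", subnet_kind(rt))
        for dst in ["10.0.3.4", "8.8.8.8", "52.216.10.1"]:
            print("   ", dst, "->", lookup(rt, dst))
```

The isolated table is the pattern for a data subnet that should reach S3 through the endpoint and nothing else: with no 0.0.0.0/0 route, any address outside the prefix list has no route at all, and an endpoint policy on vpce-12345 narrows which buckets can be reached through the one path that remains.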


Nadtakan Futhoem — Sr. Software Engineer

Founder of & Serverless Cloud developer. Follow me on Twitter